This year’s RSA conference was a deluge of technology centered on the usual security suspects with an addition of recent year themes surrounding the challenges of cloud computing. Two years ago the conference was all about cloud, last year it was “Bob and Alice” (the challenges of compliance vs. defection surrounding lack of trust in cyberspace).This year’s “Mightier than the Sword” theme was the next logical step towards cyber warfare. After all, regardless of the strength of security controls, the presence of global information availability coupled with the absence of trust inevitably tends toward war. Perhaps it is time to work on this “trust” problem. After all, it’s all about risk… right?
Risk = Cost
So many items on wish lists get assigned to “cloud” that the risk associated with it is skyrocketing and, after all, I am all about risk here. The goal at the federal level is primarily cost savings but, as I have said repeatedly in this forum and others, risk is dollars and if risk is increasing, cost is increasing.
From this vantage, the greatest threat to adoption is the lack of adequate access control in the user-data relationship. This has been dealt with historically by host isolation and repetitive authentication processes. Now, “cloud” has stripped away that comfort food and replaced it with a bitter apple of application and data exposure with no mechanism to control authorization at the data level. If you don’t know where your data is then you’d better have assurance as to who has access to it. Sadly, this is not so and the best attempts by cloud providers to assure confidentiality, integrity and availability is reduced to only a very weak assurance of availability. This cannot stand!
Authentication is not enough in a connected world. Data has to be owned (private) or not owned (public) or specifically authorized (owned with digital rights assigned) and to do that we need to transform our thinking about identity management and access control. Anything else is to simply put the infrastructures that we have built over the last 40 years into a remote data center and pay for access to it and this works only for information you don’t really care about. For information we do care about, our cost — both direct and indirect through increased risk — will skyrocket, just like the cost of health care since we outsourced it to “managed care” providers 40 years ago. We need transparent principles of least access (POLA) built into applications and the user-data relationship a very granular levels. While there are a few brave researchers testing the waters, there is precious little effort in the cloud initiatives toward this.
So, what’s your data worth?
Photo courtesy of Courion
Share this article!